In the text below you will find an overview of the main principles of personal and other data protection. INVENTI Development s.r.o, IČO: 24146692 DIČ: CZ24146692, with its registered office at Táborská 940/31, Nusle, 140 00 Prague 4, registered in the Commercial Register kept by the Municipal Court in Prague, under file number C 182939 (hereinafter referred to as the “company” or “administrator”), as the operator of the website www.inventi.cz (hereinafter referred to as the “Website”) and the provider of other Internet services, handles (processes and collects ) personal data in accordance with applicable regulations, in particular Regulation of the European Parliament and of the Council No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR") and Act No. 110/2019 Coll., on the processing of personal data and amending certain acts, and Act No. 127/2005 Coll., on electronic communications.

Data Protection Officer: Miroslav Kalinský, Email: privacy@inventi.cz (hereinafter referred to as DPO).

What personal data do we process?

Basically, process three types of personal data, depending on the legal grounds for processing:

1) personal data that we have obtained from you based on:

• GDPR Article 6 paragraph 1 letter b) processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken prior to entering a contract at the request of the data subject.

• GDPR Article 6 paragraph 1 letter c) processing is necessary for compliance with a legal obligation to which the controller is subject.

2) Personal data that we have obtained from you based on your consent to processing based on: GDPR Article 6 paragraph 1 letter a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

3) Personal data that we process based on: GDPR Article 6 paragraph 1 letter f) processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.

Types of personal data collected and processed

The company collects the following data from users of our services:

If you fill out a separate contact form, we record your name, e-mail, telephone number or address, company name, registered office, identification number, in the event of a user signing up to subscribe to selected services, such as signing up via a contact and/or registration form for the purpose of participating in events and/or lectures, including webinars, organized by the Company, or for the purpose of downloading materials created by the Company and offered to the public, we record, for example, the user 's name, e-mail and other profile information (such as address, date of birth, profile photographer, geographical location), or data such as business name, registered office, place of business, identification number; Other user data is collected through cookies during your visit, as described here: Cookies

Finally, we obtain data from consumer competitions, surveys and questionnaires in which the user participates with his / her consent and which he/she voluntarily completes.

In the case of a person interested in employment within the "Career" section, additional personal data related to the recruitment process may be collected and processed.

Purpose of processing and collecting personal data

The data provided is collected primarily for the purpose of:

1. Use of services and products provided by the Company by third parties based on a contractual agreement with the Company and settlement of all rights and obligations arising from the order of the given service and product.

2. Winning prizes in consumer competitions organized by us.

3. Administration of contact forms for communication purposes.

4. Managing contact and / or registration forms and tailoring services to the needs and interests of individual users, ensuring user participation in events and / or lectures (including webinars) organized by the Company.​​

5. Sending commercial communications via e -mail or notifications about new services or their improvements on the Company's web portals, including other marketing activities of the Company, based on your subscription to these communications, in accordance with Act No. 480/2004 Coll., on certain information society services, as amended. Advertising and marketing materials of third parties are not currently sent by the Company. If they were to be sent, it would only be if you have subscribed to these communications. Unsubscribing from receiving commercial communications can be done via the unsubscribe option at the footer of each email, in the settings of the service for which the user registered to receive such communications, or by email: marketing@inventi.cz.

6. Sending out competition prizes and small gifts or goods and services ordered through any of the Company’s web portals. This data will be used exclusively for the delivery of the prize, gift or ordered goods and services or for verification of contact details.

7. Creation and distribution of advertising relevant to the interests of the user, so-called behaviourally targeted online advertising. Online behavioural advertising is a method of displaying advertising on visited websites so that the advertising is more relevant to the interests of the user and is thus maximally relevant to them. The data obtained in this way does not allow the user to be identified as a natural person in the real world and is collected and analysed strictly anonymously. Users have the option of choosing at any time whether to take advantage of more relevant advertising by logging in or out of behavioural targeting at the address below. In this context, strictly anonymized identifiers based on email addresses (so-called hashes) may be transferred to third parties for the purpose of automated behavioural targeting/segmentation of advertising to users of the Company’s services. However, it is not possible to identify or identify a specific user based on this data in any case.

8. In the “Career” section; if you apply for one of the vacant positions in our company through our website or otherwise, we will process the personal data you provide to us for the purpose of evaluating your application and the information contained therein to assess whether you are a suitable candidate for one of our positions. We may also conduct a pre -employment check on job applicants to, among other things, verify the accuracy of the information contained in your CV and other documents you provide to us. For specific positions, you may also be asked to provide us with a criminal record check. Pre - employment screening is always carried out to ensure its appropriateness, adequacy and compliance with applicable legal regulations. The legal basis for processing this data is the performance of contractual or pre - contractual relationships or your consent (where applicable).

9. Anonymous statistical recording: with each visit to our website or the services we provide, anonymous cookies are stored. These help to determine how many users visit our website repeatedly. However, this is purely anonymous, statistical data, without the possibility of identifying a specific user.

10. Resolving any disputes that may arise during a business relationship or during the recruitment process.

11. For complying with legal obligations arising, for example, from tax regulations and other legal regulations that the Company is obliged to comply with, and which require the processing of personal data.

The Company may use your personal data for the purpose of personal data automation, including for the purpose of profiling and targeted marketing.

The company does not use your personal data to automate personal data, including for the purpose of profiling and targeted marketing.

The Company will not collect excessive amounts of personal data or other information that is not relevant to the purposes for which the personal data is collected.

Conditions for expressing consent to the processing of personal data.

If the processing is based on consent, the controller must be able to demonstrate that the data subject has given consent to the processing of their personal data.

Where the data subject's consent is given in a written statement which also relates to other matters, the request for consent shall be made in a manner which is clearly distinguishable from those other matters and shall be intelligible and easily accessible, using clear and plain language. Any part of such a statement which constitutes a breach of this Regulation shall not be binding.

data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal. The data subject shall be informed of this before consent is given. It must be as easy to withdraw consent as it is to give it.

When assessing whether consent is free, careful consideration must be given to whether, among other things, the performance of the contract, including the provision of the service, is conditional on consent to the processing of personal data that is not necessary for the performance of the contract.

Consent to data processing must therefore be free, specific, informed and unambiguous.

What rights do you have in relation to the protection of personal data?

In relation to your personal data, you have the following rights:

1.Right to information about

• the identity and contact details of the controller and his representative,

• contact details of the trustee (if appointed),

• the purposes of processing personal data and the legal basis for processing, the legitimate interests of the controller or, where applicable, a third party,

• recipients or categories of recipients of personal data,

• the controller's possible intention to transfer personal data to a third country or an international organisation and the existence or absence of a Commission decision on adequacy, or a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data were made available.

2.Right to access personal data

• You may request access to your personal data or obtain information about what personal data concerning you is being processed and have access to this information:

• purposes of processing,

• the categories of personal data concerned,

• recipients or categories of recipients to whom the personal data have been or will be disclosed, recipients in third countries or international organisations,

• the planned period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period,

• the existence of the right to request from the controller the rectification or erasure of personal data concerning the data subject or the restriction of their processing or to object to such processing,

• the existence of the right to file a complaint with the supervisory authority,

• all available information about the source of the personal data, if not obtained from you, and the fact that automated decision -making, including profiling, is taking place, and meaningful information regarding the process used, as well as the significance and envisaged consequences of such processing for you.

• The controller shall provide a copy of the personal data being processed. For further copies, the controller may charge a reasonable fee based on administrative costs. The Commissioner or another authorised person may decide that the subject will be required to pay the costs and that his request may be rejected. If the request is made in electronic form, the information shall be provided in an electronic form that is commonly used, unless the data subject requests otherwise.

• can request access to your information via the email address privacy@inventi.cz

3.The right to correct or supplement inaccurate personal data.

• You have the right to request the controller to correct your inaccurate personal data.

• You also have the right to have incomplete personal data completed, including by providing an additional statement. When exercising this right, the purposes of the processing must be considered, and the controller will decide whether this is appropriate or not.

4.The right to erasure of personal data (the right to be "forgotten") in certain cases.

• You have the right to request the controller to erase your personal data. the controller is obliged to erase your personal data if one of the following reasons applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,

• you object to the processing and there are no overriding legitimate grounds for the processing,

• personal data were processed unlawfully,

• personal data must be erased to comply with a legal obligation laid down in Union or Member State law to which the controller is subject.

5.The right to erasure does not apply to the extent that processing is necessary for the establishment, exercise or defence of legal claims. More information can be obtained at the e-mail address: privacy@inventi.cz.

6.Right to restriction of processing

7.Right to notification of correction, erasure or restriction of processing

8.The right to request data portability.

9.The right to object or complain to processing in certain cases.

10.Withdraw your consent to the processing of personal data at any time.

11.The right to be informed of a personal data breach in certain cases.

Other rights set out in the Personal Data Protection Act and in the GDPR after its entry into force.

The right to file a complaint with the office for personal data protection:

• Office for Personal Data Protection, Lt. Col. Sochora 27, 170 00 Prague 7

Data retention period

In general, personal data is stored for the period necessary for the purpose for which it was processed. We store your data for the period necessary for the purposes of providing services, or until you withdraw your consent to the processing of personal data. This does not affect the Company’s right to process user data in accordance with the relevant generally binding legal regulations, for the purposes of resolving disputes and final settlement of all rights and obligations related to the provision of the relevant service, but this period does not exceed 10 years. Your personal data will be processed for the period for which you have given your consent to their processing, unless you withdraw your consent during this period. Consent cannot be given for an indefinite period and the period is stated in the text of the consent.

Based on applicable legal regulations, we are obliged to publish the user 's personal data, information about their Ip address, traffic or other user activities:

• based on requests from the court, the Czech Police, or other authorities active in criminal proceedings, including specialized departments (ÚOOZ, Customs Administration, etc.).

• enforcement of the terms of the contract by the abuser.

• as a means of protecting the security and integrity of the Company’s websites.

• as a means of exercising or protecting the rights, property and personal safety of other users of the Company’s services and other persons.

Transfer of personal data to third parties

The company does not share any personal information with third parties except in the following cases:

• the data is necessary for the provision of the Company’s services,

• based on your consent,

• entrusting personal data to processors who process personal data on behalf of company.

The Company is obliged to provide personal data based on law or upon order of a public authority. The Company's employees may also have access to personal data if it is necessary for the performance of their work duties.

The Company uses trusted third parties as service providers who, in some cases, process personal data on behalf of the Company and based on the Company’s instructions.

The company may use the following categories of providers (processors according to GDPR):

• data centre, hosting

• marketing service providers

• providers of analytical and recording services

• providers of public opinion polls or surveys​​

• business management service providers​

• task management and communication providers

• legal services, tax, accounting and auditing services

• recruitment and candidate verification providers

• information security service providers​​​

The Company will only transfer your data to countries outside the EU/European Economic Area if such transfer is in accordance with applicable law. This means, for example, that our provider is based in a country for which the European Commission has issued a decision that it provides an adequate level of protection for personal data, that standard contractual clauses and/or other transfer mechanisms are in place that provide adequate safeguards with regard to the protection of privacy and fundamental rights and freedoms of individuals, and, where necessary, that additional measures are applied that ensure that the data subject is provided with a level of protection that is essentially equivalent to that guaranteed by the GDPR.

Automatic processing and profiling

When processing your personal data, there is no automated decision-making, including profiling.

How is your personal data secured?

All personal data that you provide to us is secured by standard procedures and technologies. However, it is not objectively possible to completely guarantee the security of your personal data. Therefore, it is not possible to 100 % ensure that the personal data provided cannot be accessed by a third party, copied, disclosed, modified or destroyed by breaking our security measures.

In this context, we assure you that we regularly check whether the system does not contain weaknesses and has not been exposed to attack and we use such security measures that, if possible, there is no unauthorized access to your personal data, and which, considering the current state of technology, provide sufficient security. The security measures taken are then regularly updated.

without your help and responsible behaviour, we are not able to fully ensure the security of your data. Therefore, please help us ensure the security of your data by keeping your unique passwords and access details secret and by following basic security principles. Please always remember that e- mails may not be encrypted. Therefore, we strongly recommend not using these forms of communication when providing confidential information.

Can you contact us?

In case of any question about the protection of personal data or to withdraw consent to the further processing of your personal data, please use the e-mail: privacy@inventi.cz.

The contact information for our data protection officer is also privacy@inventi.cz.

More details can be found below in the Definition of Terms, the Main Principles of Personal Data Processing and the Lawfulness of Processing.

Definition of terms

Personal data

Any information relating to an identified or identifiable natural person ( hereinafter referred to as the "data subject " ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing

which is performed upon personal data or sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

By restricting processing

Marking stored personal data to limit their processing in the future.

Profiling

Any form of automated processing of personal data consisting of their use to evaluate certain personal aspects relating to a natural person, to analyse or estimate aspects concerning his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymization

Processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that it is not attributed to an identified or identifiable natural person.

Records

Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed according to functional or geographical aspects.

Administrator

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, that law may determine the controller concerned or the specific criteria for its determination.

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient​​

The natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party. However, public authorities which may obtain personal data in the context of a specific investigation in accordance with the law of a Member State shall not be considered recipients; the processing of such personal data by such public authorities shall be in accordance with the applicable data protection rules for the purposes of the processing.

Third party​

A natural or legal person, public authority, agency or other body which is not the data subject, the controller, the processor or a person directly subordinate to the controller or processor, but which is authorised to process personal data.

Agreement

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject 's wishes by which he or she, by a statement or by another clear affirmative action, signifies agreement to the processing of his or her personal data.

By breaching the security of personal data

A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or disclosure of personal data transmitted, stored, or otherwise processed.

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about his or her physiology or health and which result from the analysis of a biological sample of the natural person concerned.

Biometric data

Personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a natural person which enable or confirm a unique identification, for example a facial image or dactyloscopy data.

Health data

Personal data relating to the physical or mental health of a natural person, including data on the provision of health services that indicate their health status.

Main office

in the case of a controller with establishments in more than one Member State, the place where its central administration in the Union is located, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that other establishment has the power to enforce the implementation of those decisions, in which case the establishment which took those decisions shall be considered the main establishment; in the case of a processor with establishments in more than one Member State, the place where its central administration in the Union is located, or, where the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place in connection with the activities of the establishment of the processor, to the extent that the processor is subject to specific obligations under this Regulation;

Representative

Any natural or legal person established in the Union who is designated in writing by the controller or the processor pursuant to Article 27 to represent the controller or the processor in relation to the controller's or processor's respective obligations under this Regulation.

Main principles of personal data processing

Personal data must be:

1. processed fairly, lawfully and transparently in relation to the data subject („lawfulness, fairness and transparency").

2. collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

3. further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) („ purpose limitation").

4. adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed (“data minimisation”).

5. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (" accuracy „).

6. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89 ( 1 ), provided that appropriate technical and organisational measures required by this Regulation are implemented to safeguard the rights and freedoms of the data subject ( " storage limitation ");

7. processed in a manner that ensures appropriate security of personal data, including their protection by means of appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage („ integrity and confidentiality „).

Lawfulness of processing

Processing is lawful only if at least one of the following conditions is met and only to the appropriate extent:

1. data subject has consented to the processing of their personal data for one or more specific purposes.

2. the processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken prior to entering a contract at the request of the data subject.

3. processing is necessary for compliance with a legal obligation to which the controller is subject.

4. processing is necessary to protect the vital interests of the data subject or another natural person.

5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.